Spreedly Blog

Marketplaces and Platforms: The Rise of Payment Methods

Not too long ago it was accurate to see separate challenges facing U.S. marketplaces versus those in the rest of the world. In the U.S., a marketplace targeting an installed merchant base had the daunting task of supporting a very large number of payment gateways, but the compensating benefit of nearly universal penetration of credit and debit cards greatly simplifying what payment methods they needed to support. In Europe and the rest of the world the available payment gateways (PSP’s) were much more limited and regional, but there was a big challenge around supporting all the non credit card, typically regional payment methods that consumers prefer. In the German market alone, bank to bank payments make up more than 50% of transactions that happen online, which is a huge contrast to the US.

Things are beginning to change in the U.S., however. Inputting card data into a web browser is relatively easy, but a mobile browser is a different story, and that’s making all participants in the ecosystem more interested in using “one click” payment buttons. In just the last two years we’ve had Apple Pay, Android Pay, Samsung Pay and Visa Checkout, and just this month American Express jumped into the fray with AMEX express checkout.

In addition to the challenge of mobile payments, PayPal is changing the payments landscape in the U.S. (again). Newly liberated from eBay, PayPal now has free reign to pursue its own agenda, and is in the unenviable position of being a threat to nearly everyone. The card networks dislike PayPal as they encourage transactions that avoid the card network rails, with the Visa CEO recently noting on an earnings call: “…that PayPal uses Visa transactions as a vein to “mine from” and possibly disintermediate the relationship between Visa and clients and is something that is “not sustainable for the long term.” Mobile OS providers like Apple Pay also view PayPal as a threat because PayPal as a payment method is cross platform and thus removes tie in to any particular mobile OS or phone. (Total aside: if Apple Pay ever gains real traction from a transaction perspective I could see Google buying PayPal – if it’s still on the market at that time.) Further, PayPal also owns and controls Venmo, one of the fastest growing peer to peer payment methods, which is yet another threat to many of the other payments players.

So the arrival of mobile is changing how consumers actually pay, which is creating the sense that it’s a unique time when there will be real change in consumer payment activities, and thus the potential for a wholesale re-drawing of marketshare. The threat is a newly independent PayPal might be able to capture a good chunk of that given their head start in running their own ecosystem, combined with their cross platform and channel abilities. It all adds up to a surge in interest around non credit card payment methods.

To be clear actual adoption of these new payment methods is currently extremely low and there’s no guarantee they’ll succeed. The switch from web to mobile is moving people from the browser to apps and that in turn could dramatically reduce the number of times someone has to enter their credit card. Three or four years ago you would have used a web browser on SeatGeek to search for tickets and then clicked on the referral link to go to a third party site where you added your credit card and bought the tickets. If you used SeatGeek six times a year to search for and buy tickets that was six different times you put card details into a website. Now on SeatGeek mobile you set up your payment details once and never have to re-enter them again as they’re routing the payment for you behind the scenes. It’s not hard to see in the future having your card on file with a handful of the vertical apps you use most (some basket of Uber, HotelTonight, SeatGeek, Zomato, etc.) and a few dominant horizontal apps (Google, Amazon, Pinterest, etc.). So while mobile makes it harder to input card data, mobile app usage is greatly reducing the number of times per year we input card data at all.

Up till now, U.S. businesses have largely stuck to just accepting credit cards wherever possible. It will be interesting to watch and see if the advent of new payment methods force merchants and platforms to adopt non credit card payment methods in a meaningful way, and if they do, I suspect the first one most would add would be PayPal.

Spreedly aims to help our customers by adding those payment methods that gain real consumer traction through ever more friendly mobile and self checkout tools. We’re extremely interested to see what the payment method landscape looks like in three or more years from today, and can’t wait to continue supporting our customers in their effort to stay relevant as the territory changes.

Passing $1 billion in annual payment volume

We’re pleased to announce that in June 2015, 28 months after launching our new service and pivoting away from subscriptions, we’re now seeing more than $1 billion handled by the Spreedly platform annually. For context, in June 2014 we were running at an annualized payment volume of just over $300 million.

Since Spreedly is software as a service, we don’t directly take a percentage of revenue. Nevertheless, as a payments company this is a key milestone that reflects the value we provide marketplaces and platforms via a universal credit card tokenization offering that works with a world of financial partners.

Thanks to our all of our customers, from the earliest to the most recent, for trusting us with your business and enabling us to hit this milestone. We understand our criticality to your business and hope you draw additional encouragement from our growth.

Next stop: $10 billion!

Spreedly Disbursements Beta

Marketplaces, services that allow two or more groups of people to conduct commerce, come in a variety of forms. Consider service-based marketplaces like Uber or TaskRabbit, product-based marketplaces like Etsy, and event marketplaces like StubHub. While these marketplaces all serve different purposes, their common thread is in the need to federate the transfer of funds from a buyer to a seller. Collecting payments from buyers with Spreedly’s support of almost one hundred gateways has long been possible. Today we’re pleased to announce support for the other side of the marketplace equation: disbursements and payouts.

Disbursements and payouts are synonymous and are the compliment to collecting payments. While many traditional e-commerce businesses are only concerned with collecting funds, online marketplaces require the ability to distribute funds as well. Spreedly Disbursements is designed to do just this – allow marketplaces to disburse funds to individuals across a variety of services. When used in concert with our existing payments support, Spreedly is the perfect platform for facilitating marketplace commerce.

Our private beta starts today with initial support for payouts to PayPal accounts. Over the coming weeks we look forward to hearing from interested customers as we add support for a wide variety of disbursement endpoints. Please let us know if you’re interested in using disbursements for your marketplace and what additional providers you’d like to see.

Introducing support for third party tokens

One of Spreedly’s core features is the ability to generate a universal credit card token that will work across any of the 100+ endpoints that we support today. This helps platforms and marketplaces create a frictionless payments experience by separating tokenization and card data storage from the gateway processing the transaction. This is powerful because it allows buyers on your platform to purchase from different sellers without re-entering their card data.

When a new merchant signs-up to a Spreedly-powered platform or marketplace, they’ll typically ask their third party vault to do a one-time export of their existing card data and we then re-map that data to a universal Spreedly token. But what about cases where that’s not possible? Perhaps the third party vault doesn’t believe in data portability or charges prohibitively expensive fees for a merchant to get their data out. Previously there was no good solution, but now with our ability to support third party tokens a merchant can continue to process transactions using their existing gateway-specific tokens from within their Spreedly environment. Then, as new customers are acquired (using our PCI compliant payment forms) or existing ones update their payment details, the merchant can progressively move their entire customer base to Spreedly’s universal token solution that will work across any of our supported gateways or API endpoints.

While the third party token will only work against a specific endpoint, it’s a great way for Spreedly customers to rapidly onboard new merchants to their platform that are happy with their existing gateway for the foreseeable future. Support for third party tokens is available for the list of gateways where we support third party vaulting.

Mobile, Marketplaces and Platforms

The transition from web to mobile includes a consumer behavioral change of using mobile apps instead of a web browser. This transition is changing the way commerce happens online, since consumers are less likely to enter their CC data into a mobile app due to the form factor. Further, redirecting users to a third party site for a transaction was workable in a web browser but can be a disastrous user experience in a mobile/app world, with many third parties having poor flows on the web that are horrific on mobile. A poor purchase flow hurts all 3 parties involved – consumer, merchant, and payment provider – as it results in much lower conversion rates.

One point of proof of this change was the announcement this week that Google is going to roll out a “Buy Now” button.  Just a few years ago consumers ready to buy a product would pull up a web browser, search on Google, click an ad and go to the website, enter in their CC and all their address information and purchase the product. In a mobile world they now open their Amazon app, search for the product, click buy and get free shipping via Prime. Google sees this as a major threat since it pulls away searchers intent on buying, who in turn are the consumers that advertisers are willing to pay to reach.

This new type of consumer buying behavior creates several risks and opportunities for merchants. The first thing is the “marketplaceization” of online commerce (yes I totally just made that up). For ease and security reasons consumers will only want to work with a finite number of apps on their mobile devices. Those apps will need to include search (choice) and payment (security and ease). The result of these pressures will result in 3 to 4 very large cross vertical marketplaces – Amazon, Alibaba, and Google if they can pull it off – and a host of focused vertical marketplaces: travel, business services, transportation, ticketing, donations, healthcare, etc.

If I’m making an impulse buy to purchase two tickets to the Durham Bulls baseball game tonight I’m going to want to open SeatGeek, search quickly, get a recommendation on the best value seats then click the buy button and be done. There’s a chance I’ll download the Durham Bulls or MLB mobile app, get comfortable with the UI, enter my card data and address and then buy, but the conversion percentage drops dramatically especially in the context of an impulse buy. That’s why these marketplaces can work for all 3 participants. The consumer is happier, the marketplace is driving incremental sales (discovery) and/or higher conversion rates than a stand alone app, and the merchant moves more product.

Spreedly is focused on enabling the payments component for platforms and marketplaces. Discovery and search apps ready to enable commerce need to securely store a card once and then allow the consumer to buy multiple times across all the different merchants on their platform or in their marketplace. That could mean using Stripe Connect or WePay to create a merchant account for sellers (a common approach we see new startups just launching take), but larger merchants tend to already have a merchant account and feel strongly about being the merchant of record and are adamant about not using something new. And there may be a need to transact against existing 3rd party API’s – Expedia, StubHub, Walmart, etc. – to pass in orders, a use case traditional payment providers don’t support. Spreedly is a tool that marketplaces can leverage to support all 3 choices in any combination they need, and improves the experience for all parties involved.

To be sure, web/browser based commerce isn’t going away soon. However as online commerce grows within mobile apps the winners of each vertical will tie together discovery, selection, payment, and customer satisfaction. Merchants may fear the power of their vertical leaders but they may also see reduced development costs and incremental revenue by effectively outsourcing their development and advertising efforts.

Credit Card Portability

It wasn’t too long ago that nearly all online payment gateways refused to return your credit card data when closing your account. It was the ultimate case of lock-in; you can change to a new merchant account and payment gateway but you’ll be asking all of your customers to re-enter their credit card data.

Braintree really deserves the credit as the first payment company to reject this approach. They even helped create the Credit Card Data Portability group. It was probably helped that at the time they were the new payment provider on the block seeing a lot of potential customers locked to their old providers.

At Spreedly, we’ve embraced the concept of card portability from the very beginning. Now we’re taking it a step further. You no longer even have to ask Spreedly to get your data back. Via our API, you can securely move card data from your PCI secure Spreedly environment directly into that of a PCI compliant gateway. The caveat is that the gateway has to support the concept. You can learn more about it here in our docs. 

If your preferred gateway isn’t supported we’ll still do a manual export upon request. However over time we expect to be continuously expanding the list of supported gateways over time. Our goal here is the ultimate flexibility and peace of mind.

Spreedly Releases Universal Apple Pay Support

Spreedly helps minimize PCI compliance scope and reduce development costs for platforms and merchants that work with multiple payment gateways and/or third party order processing API’s. We do that via a universal credit card token that you store once but use anywhere. We want that story to remain the same as we add support for mobile platform payment services like Apple Pay. We now support the ability to use Apple Pay payments across compatible endpoints, without being locked into a single gateway. Here’s how it works:

  1. You provision your Apple Pay certificate from Spreedly instead of any single gateway.
  2. To execute a transaction, send the Apple Pay payment token to Spreedly along with the gateway you wish to execute against.
  3. Spreedly decrypts the payment token using your Apple Pay certificate and passes the decrypted card number and cryptogram to the gateway, which processes the transaction.

Having Spreedly manage the Apple Pay decryption has several benefits including: 1) the flexibility to process against more than one gateway within the same iOS application, 2) the freedom to change gateways without re-provisioning your certificate and having to release an app update, and 3) the ability to execute against non-gateway payments APIs.

The main requirement for Spreedly’s Apple Pay support during this beta period is that the endpoint’s API supports network tokenization (basically, that it accepts a card number and corresponding “cryptogram” which provides additional security and verification to the transaction). The introduction of Apple Pay has many providers adding support for network tokenization so please contact us if your gateway or endpoint is not yet supported by Spreedly.

Crossing $50 million per month

At Spreedly we’re challenging the status quo that a single payment stack is the right way to scale for web and mobile payments. December 2014 was our 22nd month since we (pivoted) launched Spreedly as a service that solves for the development and data ownership/PCI challenges in digital payments and maximizes the ease with where and how you transact with your data.  As the blog post title states our customers processed $50 million in credit card transactions on our platform for the month of December 2014.

Many of our earliest customers took a big gamble on relying on such a small startup to help power their payments. So we want to let you know that we’re making great progress and plan to be here for a long time in the future. And better still if you’re one of those who’s been on the fence come on in the water’s fine.

Using an iFrame Payment Form with Spreedly

PCI-DSS v3.0, which went into effect on January 1st of this year, mandates the use of an iFrame-based payment form for merchants wishing to minimize PCI compliance scope (defined as the ability to self-assess using the SAQ A questionnaire instead of the more onerous SAQ A-EP). We previously wrote about maintaining PCI compliance in light of the new PCI-DSS requirements and invited customers into our iFrame payment form private beta program. Since then we’ve worked with several customers to integrate the payment form into their payment page and are now making the iFrame payment form available to all customers as a public beta.

As a public beta, the iFrame payment form is functionally complete and available to all customers wishing to integrate it in their production systems. Although changes are expected before general availability, the iFrame form is implemented in a way that avoids breaking changes unless an upgrade is explicitly initiated.

We’ve created a sample app showing the iFrame payment form integrated into a typical checkout page, highlighting the ability to maintain a consistent UX even when using content served by Spreedly. As you begin the process of reassessing your PCI compliance in 2015, please review our iFrame payment form documentation and integrate it into your systems to lessen your PCI burden.

PCI-DSS v3.0 for Online Merchants

Nothing strikes fear in the heart of an online merchant quite like PCI-DSS – the set of “technical and operational requirements designed to protect cardholder data” put forth by the credit card networks (Visa, MasterCard, etc…). If you accept credit cards online, even if you’re not storing or processing those cards yourself, you need to be aware of its requirements and prepared to invest some time into compliance.

The recent upgrade of PCI-DSS from v2.0 to v3.0 introduced some important changes, making now a good time to review your steps to compliance as well as highlight what’s changed.

Do I have to get PCI certified?

If you accept credit cards from your customers then, yes[1].

Many gateways and online payment processing solutions will claim their drop-in credit card widgets exclude you from PCI compliance or make you PCI compliant. This is not true. Even if a third party is handling the collection, processing, and storage of protected cardholder data, you must still go through the PCI assessment process. What these type of solutions do, including Spreedly’s, is reduce your compliance burden. You still have to certify, but can often do so with much less effort than if you were processing and storing the card data yourself.

How do I get PCI certified?

PCI certification takes two forms: Self-assessment (i.e. do-it-yourself) or hiring a third party QSA (Qualified Security Assessor). Though there are obvious advantages to self-assessing, including effort and cost, your ability to self-asses is dependent on your annual transaction volume and is reflected in the resulting level of PCI certification (1-4) you attain.

The following table describes the relationship between your transaction volume, required assessment approach, and level of certification:

If you have… then you can… to achieve
less than 20,000 online transactions per year self-assess PCI Level 4 certification
between 20,000 and 1 million online transactions per year self-assess PCI Level 3 certification
between 1 million and 6 million online transactions per year self-assess PCI Level 2 certification
over 6 million online transactions per year hire an independent assessor (QSA) PCI Level 1 certification

Note: While PCI-DSS outlines the requirements to become certified, there are subtle differences across payment networks (the table above was created from the Visa merchant guidelines). It is ultimately up to your merchant/acquiring bank to determine what is required for your compliance. Please be sure to check with them before beginning the compliance process.

How do I self-assess?

If you are processing less than 6 million online transactions per year it’s quite likely you can self-assess. This is a good thing, but you’re not out of the woods yet. Depending on your level of involvement in handling card data, you may still need to complete a lengthy questionnaire and perform an extensive internal review.

Self-assessment for online merchants usually occurs by filling out one of three self-assessment questionnaires (SAQs). Listed in increasing order of scope they are SAQ A, SAQ A-EP and SAQ D. By way of comparison, the SAQ A has fourteen questions listed while the SAQ A-EP has over one hundred across almost thirty pages. Assessing under SAQ A is, for obvious reasons, the goal of most online merchants.

So can you use the SAQ A? It depends on your technology and provider choices, both of which dictate how card data passes from the consumer, through (or around) you, and onto your gateway:

If your systems… then use
do not touch, process or store cardholder data, and do not serve any card collection forms SAQ A
do not touch, process or store cardholder data, but do serve card collection forms SAQ A-EP
do touch, process or store cardholder data SAQ D

SAQ A-EP is a new questionnaire, as of PCI-DSS v3.0, and its distinction from SAQ A is a subtle but important one…

SAQ A vs. SAQ A-EP

Prior to PCI-DSS v3.0, merchants that used Javascript libraries or transparent-redirect forms from PCI DSS compliant third-party service providers were able to self-assess using SAQ A. These two approaches let the merchant host the payment page, with the sensitive card data being passed directly from the user’s browser to the gateway, bypassing the merchant all together.

With Version 3 of PCI, however, merchants can no longer even host the payment page if they wish to qualify for SAQ A. In order to qualify for SAQ A you must use a payment form that is hosted by and submits directly to the compliant third party. In pure browser technology terms this means that you must use an iFrame-delivered payment form or a hosted payment page from your payment processor[2].

Having a payment form that is served by and submitted to a compliant third party reduces the attack vectors by which a malicious party is able to gain access to a user’s entered credit card data. For instance, an attacker that gains access to your merchant systems can no longer compromise your payment page and siphon off card data before submitting it to the intended processor. The card payment form is protected from such intrusions by web browsers’ cross-domain security policies which limit the ability for pages on one domain to access the content of pages on another domain.

While there are always risks of compromise for any approach, PCI-DSS has determined that an iFrame or hosted payment form is less susceptible than an in-merchant form.

Spreedly customers wishing to switch to an iFrame-based payment form can contact us to take part in our iFrame beta program.

Proof of compliance

Once you have self-assessed using the appropriate questionnaire you will need to fill out an attestation of compliance, or AOC, to formally declare your PCI compliance results. If you have gone through a review led by an independent QSA, you will be issued an AOC.

In addition to the AOC, which needs to be reviewed and re-issued on an annual basis, you will need to sign up for a quarterly security scan of your systems from an outside provider. Together with the AOC, the quarterly scan verifies that you are maintaining your PCI compliance. An example of both the AOC and scan can be found on Spreedly’s PCI page.

Summary

PCI is not for the feint of heart, but it can be managed. When evaluating your compliance, keep the following in mind:

  • What level of compliance you need is determined by your merchant bank, informed by the number of annual transactions you are processing.
  • Self-assessing is less costly and time consuming, but is only an option for merchants seeking less than a PCI Level 1 certification.
  • If self-assessing, using a PCI compliant service provider that provides an iFrame or hosted payment page results in the least compliance burden.
  • An AOC, together with a quarterly scan, is your proof of PCI compliance.

Good luck out there!

Spreedly and “Buy Buttons”

For many years sellers on the Internet set up their website, hooked up a payment gateway and started selling, and buyers came from search engines, either via SEO or paid search. With the rise of social sites like Facebook, Twitter, and Pinterest merchants found a new avenue of traffic from social media. All these different channels employed advertising models to generate revenue while the merchant focused on e-commerce/payment/subscription models. Things were simple.

However, the rise of mobile at the expense of web has major impacts for “where” online commerce happens, with many online experiences moving from the web to device-based apps. In addition, Amazon has created a closed loop of mobile app, search, one click buy, deliver that is threatening Google’s dominance of search. This is creating enough of a threat that now Google might build a “buy now” button to try to protect themselves.

New startups, focused on social and search, have embraced optimizing the app experience – indeed some have ignored the need for a traditional website at all – so the rise of the mobile app is impacting the traditional flow of converting advertising to realizable commerce. Today, while end users are still being redirected to merchants to make the final purchase, often these experiences are starting on a mobile app with the end user being redirected to a more traditional web browser session to complete the process. Or perhaps they’re instead moving from an extremely good mobile app experience to a relatively poor one, which can be a jarring experience that impacts conversion rates. Either way, users – particularly social users – hate the disjointed experience and are frustrated by the inconsistent flow, often blaming both the merchant and the social platform. This has created demand for social platforms to optimize the e-commerce experience and ensure the checkout flow is as seamless as possible given they now have skin in the game.

More specific to search (vs. social), the rise of Amazon has become a real threat to Google. Again, this is mostly app vs web, with mobile users opening a well designed Amazon app and searching for a particular product. The ease and simplicity of one click payments and shipping makes for a completely closed loop. The natural response is for Google to be pulled into controlling e-commerce that originates across its search platform, yet it’s unlikely that merchants, even if they’re feeling the pinch from Amazon, are excited about moving more of their relationship to Google. While there will always be tension in this model over “who owns the customer,” the combined Amazon and Google threat creates a very viable opportunity for vertical search and social solutions to thrive. Google and Amazon will inevitably compete on price (the lower the merchant price the better), but optimized vertical search services on the other hand often bring in a different, less price sensitive buyer that merchants find desirable. A good example of this is Wanelo, who leverages it to achieve 10 – 15% in referral fees.

There are several core components to a “Buy Now” button:

  • The end user wants an Amazon or Uber like one click experience. They need their payment method stored securely and easily accessed for repeat purchases. In addition, support for newer payment methods like Apple Pay, Google Wallet and Paypal need to be seamless choices.
  • Ideally the end user stays within the originating mobile app but the commerce still happens with the merchant. By staying within the mobile app conversion can be optimized. By transacting against the merchant’s existing payment infrastructure the money flow is not interrupted. This is key in terms of customer support, refunds and returns etc. This also helps solve the dilemma around customer ownership, since it’s now explicitly shared.
  • Merchants have to allow third parties to freely access and present accurate inventory real-time.

Spreedly helps social and search services securely store and tokenize payment data, and this truly universal token can be used across multiple merchants over time giving complete independence. Then via our wide range of pre-existing integrations to gateways and third party API’s we help ensure the end user can stay in app while the transaction processing still happens via the merchant’s existing processing relationship. What we don’t solve today is supporting the entire product or inventory management component; we at least help by acting as a passthrough, but the development work falls on the social/search platform and merchants to get the integration up and running. That may be why areas like ticketing (SeatGeek) and hotel inventory (Top10) have been early Spreedly adopters: the concept of supporting affiliate sellers was already in place, so optimizing payments and checkout flow was the final piece of the puzzle for them.

The next wave of mobile apps, which startups like Wildcard are helping create, will only increase the desire from end users for a complete end to end search, share and buy within a singular experience. We look forward to helping solve the payments related challenges.

Spreedly’s Take on Apple Pay

For those of us in the payments industry, the announcement of Apple Pay in September was one of conflicting emotions. We found it both exciting and, yet, unfulfilling. Exciting in that it represented a compelling evolution of digital payments, but unfulfilling in that we had so many more questions than were answered in the initial announcement. How does it really work? How does it integrate with the existing card payment process? Can it be unlocked to work with any payment processor?

In the two months since that initial announcement, and the weeks since Apple Pay was actually released, Spreedly has learned a lot about Apple Pay. I’d like to give an update on our plans for supporting Apple Pay and why we’re excited about the opportunity.

How does Apple Pay work?

Much of Apple’s marketing around Apple Pay uses new or existing payment terms in non-standard ways. While this simplifies the consumer message, it makes it difficult to understand how the technology works. Now that we’ve had some time to dig deeper, we understand what’s going on beneath the covers and can talk in more detail about the process.

Apple Pay is unique to Apple and its devices. However, it is enabled by an existing payment specification called the EMV payment tokenization spec. This specification governs how real credit cards are turned into channel-specific alias numbers (PANs), which offer a greater level of fraud protection. Apple utilizes this tokenization process, while adding its own process for getting the alias PAN from the device to the merchant’s gateway.

You can visualize the payment flow, from when the card gets added to iOS’s Passbook through to the transaction hitting merchant account, as follows:

Please feel free to share this diagram

While Apple Pay represents a new, polished, consumer experience, it leans heavily on the existing EMV tokenization spec, which dictates how the alias credit card numbers are issued, identified and converted within the payment process. While it’s likely Apple had a hand in constructing this specification, it is not unique to Apple and can be used by other vendors.

What is unique to Apple Pay is how the payment token is constructed and the role of gateways in decrypting the payment token to expose the alias PAN. At the time of transaction, Apple uses the certificate provisioned by the merchant to encrypt the alias PAN and associated data. This encrypted token is then passed directly to a gateway that supports Apple Pay (and has the certificate’s private key) which knows how to decrypt and unpack the payment token. From this the gateway extracts the alias PAN, which looks just like a normal credit card number, and passes it off to the rest of the payment process for approval.

How will Spreedly support Apple Pay?

Spreedly is not a gateway. It is a credit card vault that integrates with dozens of gateways and other PCI-compliant APIs. So how can Spreedly play a role in the Apple Pay payment process?

If you’ll notice, the responsibilities of a gateway, as it relates to Apple Pay, are minimal. A gateway is really only doing two things: 1) Managing the private key associated with the iOS app’s certificate and 2) decrypting the payment token at transaction time to access the alias PAN. As it turns out, you don’t need to be a gateway to do those things.

If Spreedly assumes the role of the gateway solely in managing the Apple Pay certificate and decrypting the Apple Pay payment token, it can provide a single Apple Pay experience on top of any of the over 70 gateways we support. Additionally, because a payment token looks and acts like a real credit card number to the majority of the payment stack, it can be sent to non-gateway providers like ticketing, travel and other vertical APIs.

Notice how Spreedly’s support of Apple Pay differs only minimally from the conventional, gateway-specific, flow:

At Spreedly, we enable new payment technology across the widest range of payment targets possible, and that’s how we’re approaching Apple Pay.

When can I use Apple Pay on Spreedly?

For customers on one of our current pricing plans, we’re targeting a GA release in the first quarter of next year. We are already hard at work on it and have a few existing customers working with us as we move towards a private beta. If you would like to be included in the beta, please let us know. We’re always interested in understanding your specific use-case and hearing your feedback.

Parclick, Spreedly and Parking Apps

We see a lot of innovative startups in Spain interested in our platform. We also see one of the most difficult payment landscapes for startups to get started. Recently we’ve worked with CatalunyaCaixa to reduce the challenge of working with Spreedly and Redsys and today we share multiple customers. We hope other Spanish banks will soon follow their lead.

One of our newer customers is Parclick. Parclick was born in 2011 right after one of the founders missed half of a concert due to the lack of available parking spots. The founding team thought that people would like to book parking spots in advance just as they book hotels or flights. They launched three years ago and have been growing rapidly ever since. They help car park operators find and retain an attractive source of new revenue: long-stay customers. Drivers benefit too via cost saving parking offers and innovative parking products for both mobile and desktop. And everybody makes their concert in time!

While early traction was impressive, Parclick wanted to improve the payment experience. Put simply, sending customers off to a hosted payment page for payment impacted brand, flow, analytics and ultimately conversion. The goal was to continue to utilize in-country processing for improved credit card success rates and lower processing fees while creating an end to end Parclick payment experience.

“We found out about Spreedly through a friend, the CEO of another Startup that was implementing Spreedly at that time. He described what they were doing with Spreedly and it matched perfectly with what we wanted to do” said Luis Paris, CEO of Parclick.

Spreedly was shortlisted together with two other competitors, and selected after a month of testing.

“We chose Spreedly for several reasons. First, Spreedly had all security certificates we needed to operate payments safely for us and our customers. Next, Spreedly fit perfectly into our technological stack, allowing us easily to implement things like resilience processes for different payment gateway. Spreedly allowed us too to manage both desktop and mobile payments; and last, but not least, they were always ready to help when we needed them” said Ivan Rodriguez, Chief Business Development Officer.

“It took one month to get Spreedly into production, half of what we were expecting. And we are pleased with the performance and resilience of Spreedly; since we started using it we had zero downtime” Ivan added.

Spreedly has helped Parclick to improve their customer experience: “We at Parclick work tirelessly to improve customer experience, and owning the payment process was critical. This applies to using our own payment form that we can design, track and improve. Also to a seamless desktop/mobile payment process. And to easy recurrent payments without compromising our customer’s sensitive data” said Eduardo Layrisse, CMO.

“One very important thing that separates Spreedly from the pack is their prompt technical support, and their willingness to walk side-by-side with customers, to become a partner rather than a provider. This was key for our decision” added Luis Paris.

“Our next challenge is to integrate Spreedly with other payment processors such as Paypal”

Spreedly and track data beta program

One of the most popular buzzwords in the payments space right now is “Omnichannel”. Put simply, mobile devices have blurred the lines between a card not present transaction and a card present transaction (i.e. online vs in-store).  Spreedly has always focused exclusively on CNP transactions, but now we’re taking the first steps to support card present transactions.

One of the reasons we can do this is that many of the underlying gateways we support have added support for track data. As of November 2014, here’s a list of the gateways that we offer track data support for:

  • Authorize.net
  • Moneris
  • First Data
  • Network Merchants
  • Heartland Payment Systems
  • Pay Junction
  • Litle
  • Stripe
  • MerchantWare
  • USA ePay
  • Mercury

Today we’re announcing a beta program for support for track data. Please email support@spreedly.com if you’d like to learn more and/or be involved in the program.

 

Better Engineering Through Book Clubs

Culture is a hard thing to define. It has many layers, many facets, many manifestations and two people looking at the same practices might come to different conclusions about what it implies. Rather than wade into the choppy “what is culture” waters, we thought we could let you come to your own conclusions about the engineering culture here at Spreedly with a quick peek into something we’ve instituted recently – an engineering book club.

Here’s how it works at Spreedly: One of the engineers recommends a book, most often, but not limited to, a legit software development topic. Some recent examples include Distributed Systems for Fun and Profit and Release It!. Each week, after reading the same few chapters, we meet for an hour after lunch to discuss what we found interesting, what applies to Spreedly, anything we didn’t quite get etc…

This type of internal meetup has several benefits. First, it’s a no-pressure learning opportunity. You can interact with your peers and share ideas outside the normal operating environment which strengthens existing relationships and creates new ones. It also establishes the precedence that investing in yourself through continuing education is supported and even expected within the company. Couple the existence of a book club with the fact that reading for the club is encouraged during business hours and you quickly realize that the people are the priority here (much easier to say than to do).

Finally, diving into various engineering topics together allows us to take a moment to reflect on the direction of our production systems, outside the daily grind that can so often obscure this type of blue-sky thought. As a direct result of what we’ve read here at Spreedly we’ve all taken a much more involved role in increasing the resiliency of our systems and in providing operational visibility into its various components. We now also have a shared vocabulary when discussing the growth, operation and architecture of our systems which serve as building blocks for being able to more efficiently discuss complex topics. “Network partition”, “circuit breaker”, “bulkhead” and many others are now a common part of our engineering discussions.

Hopefully this sounds like something you might want to do at your company, if you’re not already. Here are some tips to get started:

  • Take initiative by suggesting a book. You can offer to change the topic later if there is support for something else. Waiting for consensus can be discouraging and time consuming so pick one to get the ball rolling. Choosing fun yet relevant material can go a long way to building critical mass to get the group going.
  • Figure out how supportive your organization is for the book club.  It can be a benefit to your company, so they may offer to “pay” for it by allowing you to use work time for your discussions. If that doesn’t work the next best option may be to schedule it during lunch.
  • It’s good to figure out the right pace.  Perhaps shoot for one meeting per week or every other week. Break up the book into manageable chunks. It is typical for us to finish a book in 4 to 6 sessions depending on the complexity and volume of material.
  • Encourage people to take notes of things they find interesting to help spark discussions. Point out any parts of the book that might be confusing or solicit questions of concepts that could use clarification. Having lively discussions will be important for maintaining the level of interest and the viability of the group.
  • Consider inviting outside participants. We’ve attended sessions where we had people from other nearby companies drop by. It livens up the conversation and keeps you from devolving into your company’s technical debt.
  • If having people buy their books is a financial concern, don’t forget about all the free technical content out there. There are quite a few blog series, videos and presentations online that can serve as the basis for your club.

There’s quite a bit more to Spreedly engineering than our book club, but we thought a quick peek into this one aspect would give you an appreciation for what we’re trying to accomplish here as we grow the team and build out our systems.

The Real Cost of Building and Maintaining Your Own Credit Card Vault

We often receive inquiries from potential customers who are looking for an independent credit card vault and are in the process of weighing up whether to use a third party service like Spreedly or build their own solution.  Given the importance of securely storing customer credit card data and the consequences of getting it wrong, the build-vs-buy choice represents a significant decision for any organization irrespective of size.  Like with most important strategic decisions, cost and time-to-implement play an important part in the decision-making process so we thought it would be helpful to break down what is involved in building a PCI-compliant credit card vault.

Human and Physical Resources

For many organizations the most significant costs in developing their own credit card vault relate to additional staffing and hardware requirements. To ensure the project doesn’t become a distraction to your core business, you’ll probably need at least one full-time employee to cover compliance, security, and the additional hardware maintenance required to maintain your own vault.  For companies with an existing compliance and security team, it may be possible to reallocate personnel to cover the additional workload. However for smaller organizations the need to hire at least one additional employee is likely unavoidable. The larger and more complex your needs, the more personnel you will require.  The additional staffing cost will depend on the market, but you can expect to spend at least an additional $70-100k a year on personnel costs.

Then there’s the additional hardware you will likely need to support your new credit card vault.  For a start you will need dedicated firewall, database, application, and utility servers together with all of the additional switches and hardware necessary to maintain your secure vault (including failover systems).  You’ll then also need to pay hosting fees for all the necessary hardware.  Total cost = $60-70k initial set-up with annual maintenance and upgrade costs of $40-60k.  Want geographic redundancy?  Double the cost.  Of course you can always elect to lease the necessary equipment, in which case you will be able to eliminate the bulk of the upfront purchase cost but as a consequence pay a higher annual fee of between $80-100k.

PCI Compliance

Perhaps the greatest unknown when it comes to storing credit card data is the PCI compliance gauntlet.  Elsewhere we’ve covered the process of becoming Level 1 compliant extensively and Spreedly’s own PCI compliance, and engaging with and working with a Qualified Security Assessor (QSA) is both a time and resource-intensive process that has the potential to create a huge distraction within an organization.  QSA’s quite rightfully take their responsibilities seriously and won’t sign off on a Report on Compliance (ROC) until they’re 100% satisfied that a company’s systems are fully-compliant.  There’s no doubt that the initial certification process is the most time-consuming and expensive step in the certification process, but every Level 1 PCI-compliant organization is required to undergo an annual re-evaluation by a QSA to confirm ongoing compliance.  QSA rates will vary and some estimates put the cost at $225k+ per year for many organizations, but in our experience smaller organizations can expect to pay between $35k-100k a year.

Insurance

An often ignored aspect of maintaining a credit card vault is the extra insurance you will need to carry to cover your organization in the event of a data breach.  Given the recent high profile Target and Neiman Marcus data breaches, credit card vaults are viewed as high risk prospects for insurance companies, which translates to them being expensive to insure.  The total cost will depend on the number of cards you plan to vault, the amount of coverage you require and your existing insurance relationship, but for a basic policy (e.g. $1-2 million coverage) it’s not unheard of to pay over $50k a year.  That will cover you for any fines issued by the card networks, security upgrades and your notification obligations to affected card holders.  These costs can quickly escalate for large scale breaches so insurance is a “must have”.

Technical Readiness

It is also important to consider is how technically prepared your organization is to handle credit card vaulting.  Probably the most significant factor to consider is what your code base looks like and whether you can easily isolate card storage/processing from it.  If you built your system with the idea of one day hosting your own PCI-compliant credit card vault and payment processing environment, then great, you’ve already overcome one of the largest technical hurdles.  If, on the other hand, you didn’t originally factor in the possibility of hosting your own vault then the process will be far more complicated, time intensive and perhaps most importantly – expensive.  If you’re fortunate and fall in the first bucket, then  you can expect to spend 2-4 months updating your code and developing the technical framework to support your vault, but if your code requires a serious overhaul it could take anywhere from 6-12 months before you’re ready to even engage a QSA.

Time to Market

There’s no hiding the fact that building a PCI-compliant credit card vault takes time – and a lot of it! Depending on your level of readiness you’re realistically looking at a minimum of 6 months if all goes smoothly to 12+ months if your QSA uncovers any issues that need to be rectified before they can certify your compliance.

Total Cost

All up, the average organization can expect to pay ~$200-340k to build an independent credit card vault with a 6-12 month timeframe, and annual maintenance costs within the same ballpark.

Of course the actual costs for each organization will differ based on their unique circumstances and geography, but hopefully this gives a rough estimate of the costs involved in building your own PCI compliant credit card vault.

Spreedly and Marketplaces

We consistently receive interest from developers looking to build a marketplace. We’re really only a good fit with one type of marketplace, which I’ll discuss below. First let’s talk about marketplaces overall. In many ways this post is an update to one we did a while back.

Defining a Marketplace 

There are 3 or 4 major functional components to a marketplace

  • Easily create a merchant account when onboarding a new seller to the marketplace
  • Take a percentage of each transaction as a fee while the transaction is occuring
  • Accept payments in the marketplace any way possible but mostly via credit cards
  • Pay out to sellers, once the money has been collected and the marketplace has taken its share, via ACH/bank transfer (cost savings)

Why are marketplaces so popular? 

The ease with with anyone can now accept credit cards (immediate onboarding) has allowed marketplace services to rapidly onboard all types of sellers that previously couldn’t accept online payments or were forced to only use PayPal as a payment method. What took someone like Etsy many months of development work can now be achieved in days.

Global

We should point out that right now, July 2014, no one is doing marketplaces globally. PayPal has adaptive payments (which we don’t support) but that is fairly complex and has never really taken off.  There are some good U.S focused offerings (Balanced PaymentsStripe and Braintree) and there is a rumor that PayPal is launching something soon that will be global. PayMill in Europe also talks about having marketplace support. However, these are very regional options. You can’t (easily) create a global marketplace today like you can a U.S one.

Spreedly as a marketplace offering

Spreedly has some characteristics that are useful for marketplaces. Card storage and tokenization means that once a buyer is set up in your marketplace they can buy from other vendors in your marketplace without re-entering data. Secondly, we support a wide range of global payment gateways. But our model differs in three critical ways:

Existing merchants. We service marketplaces where the majority of sellers already have a merchant account and expect to use that merchant account in your marketplace. That’s where our support for 60 + gateways/PSP’s comes in to play. Imagine a marketplace for beach rental properties. Chances are, people who already rent their beach house are accepting credit cards. If you’d like them to list in your marketplace it would help to let them keep using their primary merchant account.

That does not mean you can’t use us with someone like Stripe or Balanced to quickly enable new sellers who don’t have a merchant account. You just have to decide whether support for existing merchant accounts is going to be important to your marketplace. It’s certainly easier in many ways to not provide that choice.

No ACH disbursements: Due to the fact that your sellers have their own merchant account ACH disbursements are redundant. So we do not have support for ACH disbursements. One upside here is you’re free from the flow of funds and therefore the risk of chargebacks.

Revenue Model: Lastly, and this is the big one, we don’t support taking a % of the transaction unless the underlying gateway also supports it. Some like Balanced and Stripe do. However, most don’t. So it’s unlikely you can default to that model for how you get paid if you are using Spreedly. You could track the overall revenue and charge a seller separately on a transaction or monthly basis. Or you could just have a flat monthly fee to be in your marketplace.

So in summary, Spreedly is really only viable as a marketplace platform if you expect the majority of your sellers to already have, or easily get, their own merchant account and use it on your platform. Current industry trends might mean that’s going to be a more viable approach than a single vendor executing on a global strategy. Time will tell.

 

The Path to PCI Compliance

A number of years ago I was working on a product that enabled groups of people to communicate with one another and collaborate as a community – lets call it “AwesomeGroups”. We began to think there could be a revenue stream in features that allowed clubs and associations to collect membership dues or other monies. Here is what we thought we needed:

  1. Money should flow into the association’s bank account.
  2. Members must be able to use credit cards.
  3. We would host the payment flow ourselves.
  4. Credit cards had to be stored to enable recurring payments.

We looked at PayPal, Amazon Payments, and the like. None of those solutions were capable of helping us fulfill our plans. So we dove deeper into the details of collecting and storing credit cards, connecting to various payment gateways, and keeping track of all the transactions.

While there were many challenges we began to perceive, the one that concerned us the most was the collection and storage of credit cards. The costs of meeting the Data Security Standards of the Payment Card Industry were difficult to quantify. Everything we were reading led us to believe we would have to rethink every aspect of our system, including a move from our cloud host to a high security data center!

Missing the Forest for the Trees

The idiom “missing the forest for the trees” captures well the sense of what I experienced on that project. There were so many details surrounding compliance that we had missed the point of it all!

AwesomeGroups already had a custom payment form on it. Credit card information was sent to our servers, then forwarded to Authorize.net for storage and recurring billing of the monthy fees the associations paid to use the application. Somehow, we came away from our research with no idea that we had already placed ourselves in a position requiring us to be compliant with the PCI Data Security Standards!

The fact that escaped me then may be perfectly clear to you: if any part of your systems ever sees a credit card number, you are responsible for ensuring those solutions are compliant with PCI DSS. Credit card numbers are like gold, and the systems that request them and move them are like armored trucks – high value targets for the criminally minded. There may be mechanisms in your system which represent the weakest link in a chain of transacting. All a hacker need do is compromise your system and send to himself a copy of every credit card your program forwards to Braintree. You may never know it’s happening because you’ve done little to prevent it and nothing at all to detect it!

Perhaps you’re looking for the perspective I wish I’d had at the beginning of my research. The goal of this post is to help you step away from the trees and have a look at the forest.

Who’s Who

There are a number of entities involved in the processes that make the credit card payment ecosystem function. In the pursuit of understanding the world of PCI DSS, here are the most relevant:

  1. Merchants are people who sell stuff they make or services they provide. Most of them believe that they must take payment in forms other than cash. In the modern world, that means they must accept credit cards.
  2. Card Associations are known by brand names like Visa and Mastercard. These are networks of banks that issue credit cards (issuing banks) to customers and banks that provide merchants with the ability to charge a customer’s credit card (acquiring banks).
  3. Cardholders are customers who want to buy things from merchants. It’s super convenient to use a credit card. Cardholder data is the account number and sensitive authentication information, including the CVV code. Most customers believe this is more secure than carrying around cash. We all have an interest in making this as true as we can.
  4. Service Providers are the companies that provide card storage or processing products and services, whether to merchants or cardholders. Spreedly is a service provider, as are other companies such as Stripe. Payment gateways are service providers. Any company that makes Point of Sale systems (NCR, IBM) is a service provider. AwesomeGroups was a merchant, and could have been a service provider.
  5. Payment Application Developers and Integrators build and deploy hardware and software systems that merchants purchase to facilitate transactions using credit cards. These fall under the Payment Application Data Security Standard (PA-DSS). I list them here because merchants are encouraged to adopt solutions by these approved vendors, thereby easing their compliance burden.
  6. The Security Standards Council is made up of 5 major card associations. The council has produced the Data Security Standards as the representative requirements placed upon any other interested parties which process, store, or transmit credit card data, including companies that make hardware and software components for those purposes. In other words, they tell merchants, hardware manufacturers, application developers and integrators, and service providers what it means to secure the data owned by the card associations.
  7. Approved Companies are the organizations and people certified by the Security Standards Council to be expert in some aspect of bringing about the plans and verifying the implementations of the Data Security Standards. These folks know how to audit and test systems that process, store, or transmit credit card data.

Spreedly is a merchant and service provider. We are also a customer of a number of merchants that provide various services to us. Our platform interacts with payment gateways, which are service providers themselves, and must be PCI compliant. We are level one (L1) compliant, which means we know a good deal about the requirements set forth by the Security Standards Council, and we have engaged approved companies to assess our systems and provide regular scanning services. We are not considered a payment application developer or integrator because the solution we provide is not installed in an environment out of our control.

Scope

Scope refers to all of the components in your system that are subject to the requirements of the Data Security Standards. Scope refers to the collection of components – computers, routers, switches, physical or virtual – that process, store, or transmit cardholder data, known as the cardholder data environment, or CDE. Understanding scope when you begin to implement your solution is the same as buying an ounce of prevention. It is possible to build systems that cost substantially more under PCI DSS than others. More importantly, misunderstanding scope can lead to components which do not undergo proper care to protect your customer’s data.

If you have one computer serving a single HTML page, and that page contains a link to an offsite payment page, your scope is very small. You need only show that this single computer meets the requirements of PCI DSS. Imagine three networks comprising 20 computers which are somehow involved in the storage, processing, or transmission of card data – databases, log aggregators, application servers, load balancers, and more! If your system requires these components in order to implement the necessary cardholder data flow of your business, there’s not much you can do to reduce the scope.

On the other hand, you can expand your PCI DSS compliance scope unnecessarily by:

  • Granting access to the CDE to persons who do not need it. This would include anyone who is not responsible, in some way, for maintaining the components of the CDE.
  • Connecting components to the CDE that are not at all involved in the cardholder data flow, but grant access, in some form, to in-scope components. These systems must be as secure as any other in the CDE, and they will need to be maintained in a similar fashion.
  • Running unrelated software on in-scope components. These applications will undergo scrutiny, and they may expand the pool of people who have access to the CDE unnecessarily.

Every system can implement choices that dramatically increase or reduce it’s scope.

Online merchants can completely eliminate their scope by using a hosted shopping cart solution, such as Shopify. In this case, the merchant does not generate a single page of HTML, avoiding even the risk of having links to an external payment solution hijacked!

Both merchants and service providers can reduce their scope by outsourcing some aspects of their system to a PCI DSS compliant service provider. AwesomeGroups, if it had become a service provider to associations which wanted to accept dues from members, could have used Spreedly to store and process the cards, limiting its scope to the HTML page that presented the credit card form. Again, the application would still be subject to compliance requirements, but the validation of it’s compliance would be a much easier task.

As you become more acquainted with the DSS, you’ll agree that limiting your scope by having as few components as possible handling card data is a good thing, both in terms of reducing the risk of breach as well as the costs of maintaining PCI compliance. Check out this helpful guide as you further evaluate your scope concerns: http://itrevolution.com/pci-scoping-toolkit/

Levels of Compliance

Achieving compliance is the work of building a secure system with the smallest scope necessary. Assessing compliance, or validating compliance, can be accomplished through one of two paths:

  1. Complete a Self Assessment Questionnaire (SAQ). Someone in your business who understands the scope and implementation of your system will be a key player in doing this well.
  2. Engage a Qualified Security Assessor (QSA). These approved companies will figure out what is in scope, review the configuration and authentication controls of components, and interview people. They produce a very detailed Report on Compliance (ROC), which is intended to demonstrate the extent of their audit, recording their findings.

In either case, you will sign an Attestation of Compliance (AOC). This is a sworn statement that, to the best of your knowledge, your business processes, stores, or transmits cardholder data in a way that is 100% compliant with PCI DSS.

Which path should you take? PCI DSS compliance levels are not a measure of degree of compliance, but a guide to the path you must take to assess your compliance with PCI DSS. We have a table showing the compliance levels on our site where you can see that levels are determined by the scale of transaction activity in a business. Small online merchants processing 20,000 or fewer transactions per year are considered to be level four (L4) businesses. A large merchant clocks in at 6 million or more transactions per year, making them a level one (L1) business. Your transaction volume should inform you of your level, which will in turn direct you down the path to assessing your compliance with PCI DSS. However, note that according to documents from the Security Council, “Only the acquiring financial institution can assign a validation level to merchants.” If you’re a merchant, before you invest a lot of time on a particular path, it may be wise to ask your acquiring bank what level they assign to your business. Service providers may not have an acquiring bank and will simply work from transaction volume to choose the path to take.

L1 merchants and service providers must engage a QSA. While this is an expensive proposition, as it involves a lot of time and communication, you may be able to see why the card associations believe it’s a good idea to have someone validate your claim to be protecting all their gold! L2 and L3 merchants may need to do the same, according to the requirements of their acquiring bank. For instance, there may be certain types of businesses which represent a greater perceived risk of breach, or a business has failed to protect data in the past and must now be subject to greater accountability. However, many L2 and L3 merchants may self-assess, using the appropriate SAQ. All L4 merchants can use a SAQ.

There are a variety of Self Assessment Questionnaires because there are a variety of processing models. We have listed a categorization of the merchants on our site, showing which SAQ needs to be completed, depending on how a business uses various technologies – or does not use them – to process cardholder data. We would encourage you to read the guide provided by the Security Council, designed to help merchants determine which SAQ to use.

If you are a service provider, take note that you must use SAQ-D at levels 2, 3, and 4. This is the most thorough of the questionnaires. Service providers build technology that other businesses will use in their own PCI DSS compliant systems. Why not hold them to a higher accounting!

It may be tempting to pursue compliance at a level higher than your current transaction volume, believing you will one day supplant Amazon.com. You should delay the cost if your business is actually processing at a lower level. Nothing you do well for L4 is going to be a problem for L1.

Cost of Compliance

What most merchants and service providers really want to know when they get started is how much it’s going to cost to achieve and validate compliance. This is a function of both scope and the path of assessment as both of these factors impact nearly every other aspect of the cost, whether by increasing the number of components that need to be analyzed or the number of people involved. There’s no easy answer to the question of cost because no two businesses are the same, whether you look at their business model, management team, technology team, or current systems.

The best you can do at cost estimating, until you develop a record of compliance expenditures in your business, is ask Google. I can tell you from our experience at Spreedly, when I last looked at the search results, $225,000+ for L1 compliance is not unrealistic! Don’t forget, these are not one-time expenses. PCI DSS requires ongoing maintenance and annual re-scoping and re-assessment. Even small merchants, which must purchase and operate certified equipment in a compliant environment, can see costs far exceeding their expectations.

Conclusion

I can see in retrospect that we were right to be very concerned about the cost of implementing credit card storage solutions in AwesomeGroups. I’d like to think this post would have helped us to quickly understand what our responsibilities were as well as expose us to terminology that would have helped us imagine creative solutions our business could afford. We could have integrated with a PAN tokenization service like Spreedly, dramatically reducing our scope, thereby affording the opportunity to really explore the viability of the features we wanted to build.